The Internet of Things (IoT) is enabling more sophisticated capabilities through network-connected products and systems. As a result, electronic physical security products and systems are becoming more interconnected, connectable, and networkable. The security, performance and financial risks that affect products and services for the public sector, the private sector and consumers alike are the key drivers for developing new safeguards in an ever-changing threat landscape with growing risks.

According to many recent reports and the U.S. government, not only is there a rise in the number of cyber attacks occurring – the sophistication of them has also advanced. It is imperative that electronic physical security systems be evaluated for cybersecurity to help ensure reliability, decrease downtime, prevent damage to assets, mitigate risk, improve security, and maintain health and safety.

UL CAP is for manufacturers looking for trusted support in assessing security risks while they continue to focus on product innovation, helping them build safer, more secure products. It is also for owners, system integrators, and retrofitters who want to mitigate risks by sourcing products assessed by a trusted third party. The program allows vendors to concentrate on product innovation with emerging technologies and capabilities to meet the ongoing needs of the marketplace.

For increased flexibility, vendors can select the UL CAP services for electronic physical security systems best suited for their current needs:

Why Choose UL CAP for Life Safety and Physical Security

The UL CAP was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain. In fact, the UL CAP services and software security efforts are recognized within the U.S. White House Cybersecurity National Action Plan (CNAP) as a way to test and certify network-connectable devices within the IoT supply chain.

Early adoption of the UL CAP provides a competitive advantage in the marketplace and can help with mitigating risk including:

Unplanned downtime and loss of production

Costly harm to assets

Reputational damage

As a third-party provider, we reinforce a customer’s objective commitment to safety excellence, helping build buyer confidence through UL certification on products and systems.

Practical & Scalable Cybersecurity Solution

UL can help manufacturers identify security risks in a wide range of products, such as surveillance cameras, emergency communications systems, fire alarm systems, alarm receiving systems, intrusion detection systems and access control systems. The new UL 2900-2-3 specifications were developed in collaboration with electronic physical security product manufacturers, asset owners, UL and other stakeholders. UL can now evaluate to these specifications as detailed in the new UL 2900-2-3 Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, for manufacturers, owners, and integrators.

UL 2900-2-3 provides a standardized approach to testing, evaluation, or certification methods by which the data security-related features of electronic physical security systems are evaluated at the product level and tested for known vulnerabilities, aiming to provide a reasonable level of confidence in the absence of known vulnerabilities and software weaknesses and the presence of appropriate risk controls. The output of UL’s work will allow the manufacturer to identify methods for mitigating those risks.

UL 2900-2-3 describes a three-tiered approach to the security requirements applicable to the product with an increasing level of security for each tier.

Level 1 (L1) includes the foundational cybersecurity testing requirements for security risk assessment of software in products covered in the Outline of Investigation. L1 is recommended as a minimum level of assessment.

Level 2 (L2) includes all of the L1 assessment and testing requirements and additional supplemental requirements for security risk assessment of software in products. L2 also provides an assessment of the security capabilities of a product with knowledge of internal security controls of the product.

Level 3 (L3) includes L1 and L2 assessment and testing requirements and additional supplemental requirements of the vendor process and management. It also provides an assessment of security capabilities of a product with knowledge of internal security controls of the product and knowledge of the business practices of the vendor to support the lifecycle of the product.

Tests include:

Fuzz Testing – A technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data, called fuzz, in an attempt to make the device operate in an unintended fashion.

Known Vulnerability – Detecting the presence of vulnerabilities described in the National Vulnerability Database (NVD).

Code and Binary Analysis – Source code, bytecode or binary code is analyzed without executing it, to test for known software weaknesses

Risk Controls

Access Control and Authentication – Confirmation that user credential handling does not introduce security weaknesses

Cryptography – The product shall ensure the confidentiality of all sensitive data and personally identifiable data generated, stored, used or communicated by the product, including confirmation that the cryptographic algorithms used are certified and up to date

Remote Communication – Confirmation of the integrity and authenticity of all data communicated over any remote interface

Structured Penetration Testing – Customized penetration tests structured to the specific product being tested, since their scope depends on all the previous testing (CWEs and CVEs) and on the risk assessment

Risk Assessment – Security risk management shall be established and documented during product design. This allows the cybersecurity issues found to be applied to the specific product and to how it is intended to be deployed and used. Vulnerabilities that are present but do not pose a cyber risk may be found acceptable without the need for corrections.

Why UL?

The facts

Science and knowledge-based company

Offering transparency through measurements and standards

Independent and trusted entity

Inside-out and outside-in approach from security development to testing

Experience in embedded SW security

Providing a complete offering, focusing on both product security as well as secure software development processes

The benefits

Protecting your business based on science, technology and SW/application security expertise, with a basis of measurement founded on facts and science

Saving time and money by focusing on protecting the most critical parts of the business first

Electronic Physical Security System Product Evaluation Deliverables

Service – Deliverable

Training – UL 2900-2-3 Standard for Life Safety and Physical Security Systems. Best practices for identifying and mitigating risk associated with software vulnerabilities in life safety and physical security systems

Advisory – Summary of UL meeting and action items

Gap Analysis – Assessment of the current product specifications against the UL 2900-2-3 criteria

Testing – Test report based on some or all of the UL 2900-2-3 requirements or on customer-specified requirements

Certification – “UL 2900-2-3 compliant” upon meeting all requirements

For questions and to get started with a quote, please contact ULCyber@ul.com.

Life Safety and Security

Around the globe, UL works to help customers, purchasers and policymakers navigate market risk and complexity. UL builds trust in the safety, security and sustainability of products, organizations, and supply chains – enabling smarter choices and better lives. In all we do, we apply science and expertise to enable the responsible development, production, marketing and purchase of the goods, solutions and innovations of today and tomorrow.